
Post-Install User and Permissions

After installing Docker, two things need immediate attention: configuring your user to run Docker commands without sudo, and ensuring the daemon starts automatically when the server boots.

Run Docker Without sudo

By default, the Docker daemon socket is owned by root. This means every docker command requires sudo. To avoid this, add your user to a group called docker.

Security Warning

The docker group grants privileges equivalent to root. A user in this group can mount the host filesystem into a container and modify any file on the system. Only add trusted administrators.

Setup

# Create the docker group (it may already exist)
sudo groupadd docker

# Add your user to the group
sudo usermod -aG docker $USER

# Apply the new group membership to your current session
newgrp docker

Verify

Run a Docker command without sudo:

docker run --rm hello-world

If this still fails with a permission error, log out completely and log back in. The newgrp command creates a subshell with the new group, but some environments require a full logout to apply the change.

Enable Docker at Boot

On most modern Linux distributions (Ubuntu, Debian, CentOS, RHEL, Alma), Docker uses systemd. Enable both the Docker daemon and the containerd runtime to start automatically:

sudo systemctl enable docker.service
sudo systemctl enable containerd.service

After enabling, verify that Docker survives a reboot:

sudo reboot

After reconnecting:

systemctl status docker
docker ps

If Docker is not running, check the journal for errors:

sudo journalctl -u docker --no-pager -n 50

Understand the Docker Socket

The Docker daemon listens on a Unix socket at /var/run/docker.sock. Understanding this is important for troubleshooting and security:

ls -l /var/run/docker.sock

You should see output like:

srw-rw---- 1 root docker 0 Feb 13 01:00 /var/run/docker.sock

This means:

  • Owner: root
  • Group: docker
  • Permissions: owner and group can read/write; no access for others

Anyone in the docker group can communicate with the daemon through this socket. Never change the socket permissions to be world-writable (chmod 666) -- this would give every user on the system root-equivalent access.

Check Group Membership

To see which users currently have Docker access:

# List all members of the docker group
getent group docker

# Check your own groups
id
groups
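
As an added example (not part of the original page), the script below turns the socket and group checks from the two sections above into an audit: `check_socket` flags any mode that gives "others" access or an owner/group other than root:docker, and `group_members` lists the accounts in a `getent group` record. The function names and the `--live` flag are this example's own, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit the Docker socket and docker group (not from the original page).
SOCK=/var/run/docker.sock

# check_socket MODE OWNER GROUP
# MODE is octal as printed by `stat -c %a`. Returns 0 only for the expected
# state: owned by root:docker with no permission bits set for "others".
check_socket() {
    rc=0
    case $1 in
        *[2367]) echo "CRITICAL: socket is world-writable (mode $1)"; rc=1 ;;
        *[145])  echo "WARN: others have access to the socket (mode $1)"; rc=1 ;;
    esac
    [ "$2" = root ]   || { echo "WARN: owner is $2, expected root"; rc=1; }
    [ "$3" = docker ] || { echo "WARN: group is $3, expected docker"; rc=1; }
    return $rc
}

# group_members LINE
# LINE is one `getent group` record (name:passwd:gid:user1,user2).
# Prints one member per line. Users whose *primary* group is docker are
# not in this field, so also check `id <user>` for accounts you care about.
group_members() {
    printf '%s\n' "${1##*:}" | tr ',' '\n' | sed '/^$/d'
}

# audit_live: run both checks against this host (GNU stat assumed).
audit_live() {
    if [ -S "$SOCK" ]; then
        set -- $(stat -c '%a %U %G' "$SOCK")
        check_socket "$1" "$2" "$3" && echo "OK: $SOCK is $1 $2:$3"
    else
        echo "INFO: $SOCK not found (daemon not running?)"
    fi
    if line=$(getent group docker); then
        echo "Root-equivalent accounts via the docker group:"
        group_members "$line" | sed 's/^/  /'
    fi
}

# Hypothetical flag for this script: only touch the host when asked to.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with `--live` on the Docker host; without the flag it only defines the functions.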

Troubleshooting Permission Issues

| Symptom | Cause | Fix |
|---|---|---|
| permission denied when running docker ps | User not in the docker group | Run sudo usermod -aG docker $USER, then log out and back in |
| docker ps works in one terminal but not another | Group change not applied to all sessions | Log out completely and log back in, or run newgrp docker |
| Cannot connect to the Docker daemon | Daemon not running | Run sudo systemctl start docker |
| Socket shows wrong permissions | Manual permission change or package issue | Reinstall docker-ce to restore defaults |

Key Takeaways

  • Add your user to the docker group to avoid typing sudo before every command.
  • The docker group is root-equivalent -- only add users who need and should have that level of access.
  • Enable both docker.service and containerd.service with systemctl enable so Docker starts at boot.
  • Always verify Docker survives a reboot before considering the setup complete.
  • Never change the Docker socket permissions to be world-writable.
